FinishResponseSubscriber could create duplicate headers

Created on 16 May 2021, about 3 years ago
Updated 12 January 2024, 5 months ago

Problem/Motivation

FinishResponseSubscriber::onRespond() sets default values for some headers.
When setting them, it passes the $replace parameter as FALSE, apparently with the intention of not overwriting any headers that were previously set on the response object.

However, $replace = FALSE does not do that: it instead appends an additional header of the same name with the specified value.

This may not occur in most cases, assuming:
- modules which alter the headers subscribe with the same or lower priority than the core handler (and consequently execute after it);
- modules set the header value with $replace == TRUE (the default), so that core's value is overwritten.

Steps to reproduce

Create an event subscriber with a handler for the KernelEvents::RESPONSE event, at an increased priority (> 0), that sets one of the following headers:
- X-Content-Type-Options
- X-Frame-Options

The resulting page response will have the default value appended to the value set by the test subscriber, for example:

HTTP/2 200 OK
...
x-ua-compatible: FOO=bar, IE=edge
...

Proposed resolution

Only set the header if a value has not already been set on the request.
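The appending behaviour from the steps to reproduce and the "set only if absent" check from the proposed resolution, as an added PHP example (it is not Drupal core code or the issue's merge request; it assumes symfony/http-foundation, the library behind Drupal's Response object, is installed via Composer, and the function names are hypothetical):

```php
<?php
// Added example, not Drupal core code. Assumes symfony/http-foundation is
// available through Composer; run with: php example.php
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Response;

// Stand-in for a higher-priority RESPONSE subscriber that already set its values.
function responseFromEarlierSubscriber(): Response {
  $response = new Response('ok');
  $response->headers->set('X-Frame-Options', 'DENY');
  $response->headers->set('X-Content-Type-Options', 'nosniff');
  return $response;
}

// Pattern described in the report: $replace = FALSE does not preserve the
// existing value, it appends a second value under the same name.
function applyDefaultsAppending(Response $response): void {
  $response->headers->set('X-Content-Type-Options', 'nosniff', false);
  $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
}

// Proposed resolution: apply the default only when nothing has been set yet.
function applyDefaultsIfAbsent(Response $response): void {
  $defaults = ['X-Content-Type-Options' => 'nosniff', 'X-Frame-Options' => 'SAMEORIGIN'];
  foreach ($defaults as $name => $value) {
    if (!$response->headers->has($name)) {
      $response->headers->set($name, $value);
    }
  }
}

// Defensive check: a header carrying more than one value is the symptom the
// report describes (a default appended instead of skipped). Browsers do not
// agree on how to treat two conflicting X-Frame-Options values, so this is
// worth asserting in a response test.
function duplicatedHeaders(Response $response): array {
  $dupes = [];
  foreach ($response->headers->all() as $name => $values) {
    if (count($values) > 1) {
      $dupes[$name] = $values;
    }
  }
  return $dupes;
}

$buggy = responseFromEarlierSubscriber();
applyDefaultsAppending($buggy);
print_r(duplicatedHeaders($buggy));   // x-frame-options now carries DENY and SAMEORIGIN

$fixed = responseFromEarlierSubscriber();
applyDefaultsIfAbsent($fixed);
print_r(duplicatedHeaders($fixed));   // no duplicates; the subscriber's DENY is kept
```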

Remaining tasks

API changes

Release notes snippet

๐Ÿ› Bug report
Status

Fixed

Version

10.2 ✨

Component
Request processing

Last updated about 18 hours ago

No maintainer
Created by

gapple (🇨🇦 Canada)
